Security Review Skill for Construction Systems

This skill ensures all construction software systems follow security best practices, protecting sensitive project data, financial information, and business intelligence.

When to Activate

• Building ERP/BIM system integrations
• Creating construction dashboards
• Handling cost/financial data
• Building document management systems
• Creating APIs for field data collection
• Integrating with external platforms (Procore, PlanGrid, etc.)
• Working with subcontractor/vendor data
• Processing payment applications

Construction-Specific Security Concerns

1. Financial Data Protection

# CRITICAL: Construction financial data security

# ❌ NEVER Do This
project_budget = 15000000  # Hardcoded in source
margin_percentage = 0.18   # Business-sensitive info in code

# ✅ ALWAYS Do This
import os
from cryptography.fernet import Fernet

# Load from secure configuration
project_config = load_secure_config(os.environ['PROJECT_CONFIG_PATH'])

# Encrypt sensitive data at rest
def encrypt_financial_data(data: dict) -> bytes:
    key = os.environ.get('ENCRYPTION_KEY')
    f = Fernet(key)
    return f.encrypt(json.dumps(data).encode())

Financial Data Checklist

• Cost estimates encrypted at rest
• Margin/markup data not exposed in logs
• Payment information tokenized
• Historical pricing protected from competitors
• Bid amounts secured until opening

2. BIM/CAD Data Security

# BIM data often contains proprietary design information

# ❌ NEVER store BIM directly in public cloud without encryption
s3.upload_file('model.ifc', bucket='public-bucket')

# ✅ ALWAYS encrypt and control access
def upload_bim_secure(file_path: str, project_id: str):
    # Encrypt file
    encrypted_path = encrypt_file(file_path)

    # Generate pre-signed URL with expiration
    presigned_url = s3.generate_presigned_url(
        'get_object',
        Params={
            'Bucket': 'secure-bim-bucket',
            'Key': f'{project_id}/{os.path.basename(file_path)}'
        },
        ExpiresIn=3600  # 1 hour expiration
    )

    # Log access
    audit_log.info(f"BIM access granted: {project_id}")

    return presigned_url

BIM/CAD Checklist

• IFC/RVT files encrypted at rest
• Access logged for audit trail
• Time-limited download links
• Version control with access tracking
• No design data in error messages

3. Subcontractor/Vendor Data

# Subcontractor data includes business-sensitive information

class SubcontractorDataHandler:
    """Secure handling of subcontractor data"""

    # Fields that require encryption
    SENSITIVE_FIELDS = [
        'insurance_policy_number',
        'bank_account',
        'tax_id',
        'bonding_capacity',
        'historical_pricing'
    ]

    def store_subcontractor(self, data: dict) -> str:
        # Encrypt sensitive fields
        for field in self.SENSITIVE_FIELDS:
            if field in data:
                data[field] = self.encrypt(data[field])

        # Store with audit trail
        sub_id = self.db.insert(data)
        self.audit.log(f"Subcontractor created: {sub_id}")

        return sub_id

    def get_subcontractor(self, sub_id: str, requester_id: str) -> dict:
        # Check authorization
        if not self.can_access(requester_id, sub_id):
            raise PermissionError("Unauthorized access to subcontractor data")

        # Log access
        self.audit.log(f"Subcontractor accessed: {sub_id} by {requester_id}")

        # Return with decrypted sensitive fields (only to authorized users)
        return self.decrypt_sensitive_fields(self.db.get(sub_id))

Vendor Data Checklist

• Insurance/bonding information encrypted
• Bank details protected (PCI compliance)
• Tax IDs masked in UI (show last 4 digits only)
• Pricing history access-controlled
• Certificate expiration notifications secure

4. Field Data Collection Security

# Mobile/field data collection must be secure

from datetime import datetime, timedelta
import hashlib

class FieldDataCollector:
    """Secure field data collection"""

    def validate_photo_submission(self, photo_data: dict) -> bool:
        # Verify GPS timestamp is recent (within 24 hours)
        photo_time = datetime.fromisoformat(photo_data['timestamp'])
        if datetime.now() - photo_time > timedelta(hours=24):
            raise ValueError("Photo timestamp too old - possible replay attack")

        # Verify file hash matches
        file_hash = hashlib.sha256(photo_data['content']).hexdigest()
        if file_hash != photo_data['declared_hash']:
            raise ValueError("File integrity check failed")

        # Validate GPS coordinates are within project boundary
        if not self.is_within_project_bounds(
            photo_data['lat'],
            photo_data['lon'],
            photo_data['project_id']
        ):
            self.audit.warn(f"Photo from outside project bounds: {photo_data}")

        return True

    def submit_daily_report(self, report: dict, user_id: str) -> str:
        # Verify user is assigned to project
        if not self.is_assigned_to_project(user_id, report['project_id']):
            raise PermissionError("User not assigned to this project")

        # Sign report with user credentials
        report['signature'] = self.sign_report(report, user_id)
        report['submitted_at'] = datetime.now().isoformat()

        return self.db.insert(report)

Field Data Checklist

• GPS data validated for reasonableness
• Photo timestamps verified
• File integrity checks (hashing)
• User authentication for submissions
• Offline data sync secured

5. CWICR Database Security

# CWICR contains proprietary cost data

class CWICRAccessControl:
    """Access control for CWICR database"""

    TIERS = {
        'basic': ['public_rates', 'standard_descriptions'],
        'professional': ['regional_rates', 'productivity_factors'],
        'enterprise': ['custom_rates', 'historical_data', 'analytics']
    }

    def search(self, query: str, user_id: str) -> list:
        # Get user tier
        tier = self.get_user_tier(user_id)

        # Limit results based on tier
        allowed_fields = self.TIERS[tier]

        # Execute search with field restrictions
        results = self.vector_search(
            query=query,
            fields=allowed_fields,
            limit=self.get_tier_limit(tier)
        )

        # Log search for analytics
        self.audit.log(f"CWICR search: {user_id}, query='{query[:50]}...'")

        return results

    def export_data(self, user_id: str, format: str) -> bytes:
        # Enterprise only
        if self.get_user_tier(user_id) != 'enterprise':
            raise PermissionError("Export requires enterprise tier")

        # Watermark exported data
        data = self.get_exportable_data(user_id)
        watermarked = self.add_watermark(data, user_id)

        return watermarked

CWICR Checklist

• Tiered access control implemented
• API rate limiting per user/tier
• Data exports watermarked
• Bulk download restrictions
• Competitor access monitoring

6. Integration Security (Procore, PlanGrid, etc.)

# Secure OAuth integration with construction platforms

class ConstructionPlatformIntegration:
    """Secure integration with external platforms"""

    def __init__(self, platform: str):
        self.platform = platform
        # Load credentials from secure vault
        self.credentials = self.vault.get(f'{platform}_oauth')

    def authenticate(self) -> str:
        # Use OAuth 2.0 with PKCE
        code_verifier = secrets.token_urlsafe(32)
        code_challenge = base64.urlsafe_b64encode(
            hashlib.sha256(code_verifier.encode()).digest()
        ).decode().rstrip('=')

        # Never store tokens in code or logs
        token = self.oauth_flow(code_verifier, code_challenge)

        # Store token securely
        self.secure_token_store.set(
            key=f'{self.platform}_token',
            value=token,
            ttl=token['expires_in']
        )

        return token

    def sync_data(self, project_id: str) -> dict:
        # Validate project access before sync
        if not self.has_project_access(project_id):
            raise PermissionError(f"No access to project {project_id}")

        # Rate limit syncs
        self.rate_limiter.check(f'sync_{self.platform}')

        # Sync with retry and error handling
        try:
            data = self.api_client.get_project_data(project_id)
            self.validate_incoming_data(data)
            return data
        except APIError as e:
            # Log error without sensitive details
            self.logger.error(f"Sync failed for {project_id}: {type(e).__name__}")
            raise

Integration Checklist

• OAuth 2.0 with PKCE implemented
• Tokens stored in secure vault (not env vars)
• Token refresh automated
• API rate limiting respected
• Webhook signatures verified
• Data validation on incoming data

7. Document Management Security

# Construction documents often contain confidential information

class SecureDocumentManager:
    """Secure document handling for construction"""

    # Document classification levels
    CLASSIFICATIONS = {
        'public': [],
        'internal': ['daily_reports', 'schedules'],
        'confidential': ['contracts', 'bids', 'financials'],
        'restricted': ['legal', 'hr', 'insurance']
    }

    def upload_document(self, file: bytes, metadata: dict, user_id: str) -> str:
        # Scan for malware
        if not self.malware_scan(file):
            raise SecurityError("Malware detected in uploaded file")

        # Classify document
        classification = self.classify_document(metadata)

        # Check user can upload to this classification
        if not self.can_upload(user_id, classification):
            raise PermissionError(f"Cannot upload {classification} documents")

        # Encrypt based on classification
        if classification in ['confidential', 'restricted']:
            file = self.encrypt(file)

        # Store with audit trail
        doc_id = self.storage.put(file, metadata)
        self.audit.log(f"Document uploaded: {doc_id} by {user_id}")

        return doc_id

    def download_document(self, doc_id: str, user_id: str) -> bytes:
        # Check access
        doc = self.storage.get_metadata(doc_id)
        if not self.can_access(user_id, doc['classification']):
            raise PermissionError("Access denied")

        # Log download
        self.audit.log(f"Document downloaded: {doc_id} by {user_id}")

        # Return decrypted content
        return self.decrypt(self.storage.get(doc_id))

Document Checklist

• Malware scanning on upload
• Document classification system
• Role-based access control
• Download audit logging
• Encryption for sensitive documents
• Retention policies enforced

Pre-Deployment Security Checklist for Construction Systems

Data Protection

• Financial data encrypted at rest and in transit
• BIM/CAD files protected with access control
• Subcontractor PII secured (GDPR/CCPA compliant)
• CWICR data access tiered appropriately
• Backup encryption enabled

Authentication & Authorization

• Multi-factor authentication for admin users
• Role-based access control implemented
• Session management secure (timeout, single device)
• API keys rotated regularly
• OAuth integrations use PKCE

Audit & Compliance

• All data access logged
• Logs tamper-proof (append-only)
• Retention policies documented
• Data export capabilities for audits
• Compliance reports automated

Integration Security

• All external APIs authenticated
• Webhook signatures verified
• Data validation on all inputs
• Rate limiting implemented
• Error messages sanitized

Field Data Security

• Mobile apps use certificate pinning
• Offline data encrypted
• GPS/timestamp validation
• Photo integrity verification
• Secure sync protocols

Resources

• OWASP Top 10
• NIST Cybersecurity Framework
• CIS Controls for Construction
• ISO 27001 for Construction

---

Remember: Construction data includes financial, legal, and competitive information. A breach can result in lost bids, legal liability, and reputational damage. Security is not optional.